News: The CJEU Invalidates Safe Harbor In the Schrems Case


To explore developments since the ruling by the European Court of Justice in the Schrems case, which invalidated the E.U. Commission’s fifteen year-old decision to permit transfers of personal data from the EU to the US under Safe Harbor, have a look below to see how the story has unfolded from October 6, 2015 until today:

From The European Court of Justice:

Please click below to download:

Schrems Decision: cp150117en

The Article 29 Working Party has suggested that the paradigm shift for U.S. companies, after the end of year, may not be as easy as a walk in the park:

IMG_6752 copy

On October 16, 2015, the Article 29 Working Party issued a statement bearing on coordinated efforts by the  Data Protection Authorities of the EU Member States and discussing enforcement, insufficiency of Safe Harbor as a mechanism to justify transfers of EU personal data to the U.S., and the status of BCRs and Model Contracts.  A29WP statement

See also news from the EU on October 26, 2015, that concerns the reverberations of Schrems and the brief forbearance of the DPAs on enforcement actions:

Reuters reports on the Remarks of the head of the A29WP:

Developments from Isabelle Falque-Pierrotin

Click Here For More EU News Updates

Further comment (in German) by German DPAs

Safe Harbor Update from the FRD

An UNOFFICIAL translation, in very uncertain draft, by an online translation bot suggests, without any assurances of accuracy or reliability whatsoever, that this text may be roughly translated as follows:

Position Paper of Privacy Conference of Data Protection Commissioners of the Federation and the Länder
After the Safe Harbor Court of Justice judgment of 6 October 2015 data is due to the Commission dated 26 July Safe Harbor decision not admissible 2000 (2000/520 / EC).
In the light of the judgment of the ECJ and the admissibility of the data transfers to the United States on the basis of the other instruments used for this purpose, such as standard contractual clauses or binding corporate rules is set (BCR) in question.
The ECJ noted that the data protection authorities of the EU Member States are not prevented irrespective of Commission decisions, to assess, in full independence, the adequacy of the level of data protection in third countries.
The ECJ called on the Commission and the data protection authorities to investigate the level of data protection in the US and other third countries (law and practice) and gives this before a concrete litmus test with strict content requirements.
As far as gaining knowledge of data protection authorities exclusively on Safe Harbor-based data transfers to the USA, they will prohibit this.
The DPAs will in exercising their powers of audit according to Art. 4 of the respective Commission decisions on standard contractual clauses on 27 December 2004 (2004/915 / EC) and of 5 February 2010 (2010/87 / EU) formulated by the ECJ principles, in particular the paragraphs 94 and 95 of the judgment, based on place.
The DPAs are currently no new authorizations for data transfers to the USA on the basis of binding corporate rules (BCR) or grant data export contracts.
Companies are therefore called upon to immediately make its methods for transferring data with data protection regulations. Companies who want to export the data in the United States or other third countries, they should also thinking of the resolution of the DSK from 03.27.2014 “guarantee of human rights in the electronic Kommunikationâ ?? and based on the guidance “cloud computing” from 09.10.2014.
Consent to the transfer of personal data may be a sound basis under strict conditions. Basically, however, the data transfer must not be repeated, mass or routinely.
When exporting data of employees or when the same data also of third parties are concerned, the consent may be a valid basis for data transmission in the United States only in exceptional cases.
The data protection authorities call on the lawmakers to grant a right of action in accordance with the judgment of the ECJ DPAs.
The Commission is invited to urge in its negotiations with the United States on the creation of sufficiently far-reaching safeguards to protect privacy. This concerns in particular the right to judicial protection, the substantive data protection rights and the principle of proportionality. Furthermore, it is necessary promptly to adapt the decisions on standard contractual clauses to the specifications laid down in the ECJ ruling.
In that regard, welcomes the DSK, the deadline of 31 January 2016 set by the Art. 29 Working Party.
The DSK called on the Federal Government to urge also on the maintenance of proper standards of fundamental rights Privacy in direct negotiations with the US government.
The DSK Calls on the Commission, Council and Parliament to bring in the current trilogue negotiations the strict criteria of the ECJ ruling in Chapter V of privacy regulation with advantage.

Many are also questioning whether a grace period on enforcement will be applied in a very limited way given that the E.U. will also begins to enforce the Right to be Forgotten